june2022 - 16
FEATURE
How Businesses Can Defend
Against Payment Fraud
THE REMOTE WORK era brought on by the COVID-19 pandemic
has made it even easier for criminals to execute
payment fraud attacks. For most companies, it's become
a matter of when they'll face a fraud attack--not if.
New defenses are needed,
because the nature of cybercrime
is changing. For many years,
cybercriminals focused on softwarebased
attacks such as ransomware.
Vendors hadn't quite caught up to
developing code secure enough to
operate in the hostile environment
that we know is the internet today.
Now vendors have hardened
their systems to the point where
it's inefficient for a bad actor to
carry out an attack using technology
alone. In the last year or two,
we've seen a shift to schemes that
use technology but ultimately rely
on strategies that exploit human
weakness. This is the new frontier
in the battle against payment fraud.
SOPHISTICATED ATTACKS
Any effective security effort relies
on technology, process and people.
Technical security efforts such as
securing hardware, software and
laptops is still important. The ability
to gain unfettered access at the
hardware or software level allows a
bad actor to do literally anything.
Organizations need to double down
on educating and training people
throughout
over the past 24 months we've begun
to see some pretty sophisticated
cyberattacks emerge.
We saw a lot of phishing around
work from home, and again around
returning to the office. There was so
much uncertainty, and people were
so hungry for information, they'd
click on anything that appeared to
offer it. The cybercriminals were
quick to capitalize, and they've
been very nimble in customizing
their attacks.
Here's a great example: For a long
time, Microsoft was the most commonly
spoofed email used in phishing
attacks. A typical attack might be
a fake email from a cybercriminal
saying you needed to update your
password, or act now because you're
running out of mailbox or drive
space. Now, DHL Delivery Service
has surpassed Microsoft as the most
commonly spoofed email because
deliveries have become much more
prominent in our personal and
professional lives.
the organization to
recognize, report and respond to
suspicious activity.
The problem is that many
organizations are still focusing
on technology as the main line of
defense. Criminals are capitalizing
on the fact that they aren't addressing
the whole picture. Add the chaos
and confusion of the pandemic, and
DEEP RECONNAISSANCE
Cybercriminals have also become
very good at business email compromise
(BEC), a key method of
payment fraud. BECs are often very
well designed and thought out. The
cybercriminal will research an
organization, their vendors, and
their processes. It's actually a very
deep reconnaissance effort.
They use the intelligence they've
gathered to pose as a vendor sending
an email request to change bank
16 JUNE 2022 ■ www.CPAPracticeAdvisor.com
By Tony Carothers
account information to one of their
own accounts. These emails might
be constructed as long threads that
contain names and information
simulating the documentation of
the real process. Sometimes they
actually compromise the organization
and take control of the email of
someone in AP or finance and launch
the attack from there. Or, they just
spoof it from another mail server.
In either case, there's no technology
that's going to effectively stop
that attack. That's why information
security today is a counterintelligence
function. You have to be
aware of information that's out
there, and all the ways in which bad
actors might use it. And you have
to communicate that to the entire
organization.
CONTINUOUS THREAT
BRIEFINGS
Software companies try to handle
this with continuous operational
threat briefings. They take real-world
attempted attacks that have been
detected and blocked, and dissect
them. That helps people understand
how attacks are happening and what
they look like.
Software
companies
also
typically work very closely with
business leaders to understand
their processes and where there
might be vulnerabilities. Working
together, the software provider and
business leaders can come up with
very effective and secure processes.
BEYOND " CASTLE
AND MOAT "
IT has historically built what is
called a " castle and moat " , or " eggshell " ,
defense. With this defense
strategy, there's a well-developed,
hardened exterior. Enterprises are
now realizing the shortcomings
of that type of architecture. Data
breaches are still a constant threat,
but criminals now rely more on
people-centered tactics like weaponizing
email. If they can use that to
make it past the hard shell, things
get kind of squishy.
The most effective way to
protect against what's coming is
to address the human element.
Security is always dynamic because
criminals are endlessly creative.
They attack, and we defend. They
study our defenses and find new
ways to attack.
The ultimate defense is creating
an organization-wide security
mindset. It's a culture. It's a way of
thinking that has to be fostered. It's
easier to do than you might think.
You need to develop a programmatic
approach, but it's not that hard
to get people to engage. What we find
is that people are very interested in
learning because they or someone
they know has experienced a cyberattack
in their personal lives. It's not
something that's abstract, or exclusively
work-related. Unfortunately,
it's all too relevant. ■
Tony Carothers is the Security Systems
Engineer at Corpay, a FLEETCOR company.
He has over thirty years of experience
in information security, working in
both the public and private sectors.
http://www.CPAPracticeAdvisor.com
june2022
Table of Contents for the Digital Edition of june2022
The ProAdvisor Spotlight: QuickBooks Online Recertification Window Open Through June 30, 2022
From the Editor: Summertime Blues
From the Trenches: Your Firm and Your Upgrades: Throw It Out!
2022 Tax Season Review: The Good, The Bad and The Ugly
Technology In Practice: Post Tax Season: 10 Tips for Getting the Most Out of Your Tax Season Debrief Meeting
2022 Most Powerful Women in Accounting
The Labor Law Advisor: Pregnant Employees and Employer Obligations
The Risk and Rewards of Big Data
How Businesses Can Defund Against Payment Fraud
The Staffing & HR Advisor: Return to the Office: How to Ready Your Team for the New "Disruption"
The Leadership Advisor: How to Create a Better Advisory Relationship
The Millennial Advisor: Firm Management Lessons from the Grocery Store
7 Principles for Becoming a Better Listener
Creating Digital Experiences is the Future of Remote Work
7 Ways to Improve Your Work-Life Balance as a Firm Owner and Accountant
Independent Contractor Update
Why CPA Firms Need a Top-Notch Website
8 Steps to Finding the Right Software Solutions
R&D Tax Credits Can Help with Software Development
Marketing Your Firm: How Accounting Firms Can Target a Niche Using SEO
Is Your Firm at the Crossroads of Change?
The Secure Act and the Growing Popularity of Roth Conversions?
How to Know When You're Ready to Move to Advisory Services
AICPA News: A round up of recent association news and events
Bridging the Gap: Your Firm's Next Hire: A Project Manager
june2022 - 1
june2022 - The ProAdvisor Spotlight: QuickBooks Online Recertification Window Open Through June 30, 2022
june2022 - 3
june2022 - From the Editor: Summertime Blues
june2022 - 5
june2022 - From the Trenches: Your Firm and Your Upgrades: Throw It Out!
june2022 - 7
june2022 - 8
june2022 - 2022 Tax Season Review: The Good, The Bad and The Ugly
june2022 - Technology In Practice: Post Tax Season: 10 Tips for Getting the Most Out of Your Tax Season Debrief Meeting
june2022 - 11
june2022 - 2022 Most Powerful Women in Accounting
june2022 - 13
june2022 - The Labor Law Advisor: Pregnant Employees and Employer Obligations
june2022 - The Risk and Rewards of Big Data
june2022 - How Businesses Can Defund Against Payment Fraud
june2022 - The Staffing & HR Advisor: Return to the Office: How to Ready Your Team for the New "Disruption"
june2022 - The Leadership Advisor: How to Create a Better Advisory Relationship
june2022 - The Millennial Advisor: Firm Management Lessons from the Grocery Store
june2022 - 7 Principles for Becoming a Better Listener
june2022 - Creating Digital Experiences is the Future of Remote Work
june2022 - 7 Ways to Improve Your Work-Life Balance as a Firm Owner and Accountant
june2022 - 23
june2022 - Independent Contractor Update
june2022 - Why CPA Firms Need a Top-Notch Website
june2022 - 8 Steps to Finding the Right Software Solutions
june2022 - 27
june2022 - 28
june2022 - R&D Tax Credits Can Help with Software Development
june2022 - Marketing Your Firm: How Accounting Firms Can Target a Niche Using SEO
june2022 - Is Your Firm at the Crossroads of Change?
june2022 - The Secure Act and the Growing Popularity of Roth Conversions?
june2022 - How to Know When You're Ready to Move to Advisory Services
june2022 - AICPA News: A round up of recent association news and events
june2022 - Bridging the Gap: Your Firm's Next Hire: A Project Manager
june2022 - 36
https://www.nxtbook.com/endeavor/cpapracticeadvisor/december2022
https://www.nxtbook.com/endeavor/cpapracticeadvisor/octobernovember2022
https://www.nxtbook.com/endeavor/cpapracticeadvisor/august2022
https://www.nxtbook.com/endeavor/cpapracticeadvisor/june2022
https://www.nxtbook.com/endeavor/cpapracticeadvisor/april2022
https://www.nxtbook.com/endeavor/cpapracticeadvisor/december2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/november2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/october2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/september2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/august2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/july2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/june2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/may2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/april2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/march2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/february2021
https://www.nxtbook.com/endeavor/cpapracticeadvisor/december2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/CPA_Practice_Advisor_November_2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/october2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/september2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/august2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/CPA_Practice_Advisor_July_2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/CPA_Practice_Advisor_June_2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/may2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/CPA_Practice_Advisor_April_2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/CPA_Practice_Advisor_March_2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/february2020
https://www.nxtbook.com/endeavor/cpapracticeadvisor/december2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/november2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/october2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/september2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/august2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/july2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/june2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/may2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/april2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/march2019
https://www.nxtbook.com/endeavor/cpapracticeadvisor/february2019
https://www.nxtbookmedia.com